Bug #51732
Closed
Permissions Issue in 6.2alpha2 install tool "drwxrws---"
Description
Installing new site from the master branch (Checked out & updated as of Sept 4th)
Copied dummy files into /www/www.domain.com/* with -pr flag after extracting from dummy tar with -xzvf to preserve permissions.
Permissions:
www.domain.com/ 755 drwxr-xr-x
./typo3conf 755 drwxr-xr-x
./typo3temp 755 drwxr-xr-x
./uploads 755 drwxr-xr-x
./fileadmin 755 drwxr-xr-x
Load installer in web browser, on step one no issues reported, APC installed and working, etc. Press "Next".
Permissions have now been changed automatically, breaking web access:
www.domain.com/ 750 drwxrsx---
./typo3conf 750 drwxrsx---
./typo3temp 750 drwxrsx---
./uploads 750 drwxrsx---
./fileadmin 750 drwxrsx---
Manually correcting this with:
find . -type d -exec chmod 755 {} + && find . -type f -exec chmod 644 {} +
Allows me to continue, but this doesn't seem right at all.
I checked out 6.1 HEAD and this works fine, so the issue is definitely introduced in 6.2.x. Soee also had the same issue, reported on the forums here: http://forum.typo3.org/index.php?t=msg&th=198004&#msg_693834
I checked with my host, Apache is running as the same user the files have as their "group" name, but public read/execute is required for them to be served. I believe this is fairly standard for Apache configurations, so I do not think that drwxrsx--- is a sane thing to be changing filemodes to?
Hope this helps, please contact me if you need any more information.
Updated by Den Denyer about 11 years ago
Just to help direct people, this links to commit 2e3c9d5 from Christian Kuhn which was the Install Tool rewrite.
I believe the file:
/typo3/sysext/install/Classes/FolderStructure/DirectoryNode.php
might be linked to this, as I identified some targetPermissions in there of 2770 which are linked to the issues I'm seeing. Hope this helps!!
Updated by Den Denyer about 11 years ago
It seems as if permissions are modified again prior to or during the first login, as I had to take the same corrective action with the find/chmod command after logging in for the first time.
(First login was a blank screen, presumably due to inability to write cached css)
In fact, if I "flush all caches" and log out, I'm presented with a broken css-less login page, I then run the CHMOD command again at the terminal to reset permissions, refresh the login page and it's back to normal again.
Evidently something feels obligated to reset the permissions or re-writes files with inadequate permissions, it's rather frustrating. I've not yet identified what's doing it and when, but thought I'd leave an update.
Updated by Den Denyer about 11 years ago
Interacting with the extension manager also seems to break CSS (Again, permissions related).
Downloading extensions seems to work, but I can't activate/install them, though this might be version related rather than permissions, I have yet to find out.
Updated by Ernesto Baschny about 11 years ago
- Status changed from New to Accepted
- Is Regression set to No
Yes, this is currently indeed suboptimal and needs to be fixed! Thanks for reporting.
Updated by Markus Klein about 11 years ago
- Status changed from Accepted to Needs Feedback
- Target version deleted (6.2.0)
Is this still a problem?
Updated by Den Denyer about 11 years ago
Last install, the permissions were rwxrws--- which in many cases is pretty infuriating, although they do work well once set up and left alone.
It requires the user to either sudo all creation/management commands on the cmdline as www/apache, or add their user to the web group. On shared hosting, this may not be possible or appropriate, so I can see the current permissions set causing a lot of support enquiries / upset users.
Perhaps a toggle / option for "Install with secure permissions" vs "Install with Other user access permissions" would be useful? I appreciate the devs usually work on locked down personal machines where their users are part of the www-data user group, but many people on various hosting providers won't have this luxury.
Updated by Markus Klein about 11 years ago
- Status changed from Needs Feedback to Accepted
- Target version set to next-patchlevel
Updated by Markus Klein about 11 years ago
- Assignee set to Christian Kuhn
@Christian: I hope you don't mind if I set you as Assignee here, but I guess you have the most insight. Thanks.
Updated by Benjamin Schmidt almost 11 years ago
- File Install_Tool_-_System_environment_check.png added
- File Install_Tool_-_Folder_structure.png added
I do have the same problem with Typo3 version 6.2.0beta3.
Upgrading from version 6.1.7 to 6.2.0beta3 bashed my website by changing the permission of documentroot directory from 0755 to 2770 (setting setuid to a directory, WTF?). This happened after I clicked on "I know what I'am doing, continue!" (Screenshot "Install Tool - System environment check.png"). This is AN EPIC FAIL because after this NO single file can be requested anymore over web AND I COULD NOT fix the permission over FTP because it's my root directory. I had to fix it over the admin control panel.
The Install Tool also wanted to "fix" the permission of other folders (Screenshot "Install Tool - Folder structure.png"):
/typo3temp has wrong permission
Target permission are 2770 but current permission are 0755
/typo3temp/index.html has wrong permission
Target permission are 0660 but current permission are 0644
/typo3temp/compressor has wrong permission
Target permission are 2770 but current permission are 0755
/typo3temp/cs has wrong permission
Target permission are 2770 but current permission are 0755
/typo3temp/Cache has wrong permission
Target permission are 2770 but current permission are 0755
/typo3temp/GB has wrong permission
Target permission are 2770 but current permission are 0755
/typo3temp/llxml has wrong permission
Target permission are 2770 but current permission are 0755
/typo3temp/locks has wrong permission
Target permission are 2770 but current permission are 0755
/typo3temp/pics has wrong permission
Target permission are 2770 but current permission are 0755
/typo3temp/sprites has wrong permission
Target permission are 2770 but current permission are 0755
/typo3temp/temp has wrong permission
Target permission are 2770 but current permission are 0755
/typo3conf has wrong permission
Target permission are 2770 but current permission are 0755
/typo3conf/ext has wrong permission
Target permission are 2770 but current permission are 0755
/typo3conf/l10n has wrong permission
Target permission are 2770 but current permission are 0755
/uploads has wrong permission
Target permission are 2770 but current permission are 0755
/uploads/index.html has wrong permission
Target permission are 0660 but current permission are 0644
/uploads/media has wrong permission
Target permission are 2770 but current permission are 0755
/uploads/media/index.html has wrong permission
Target permission are 0660 but current permission are 0644
/uploads/pics has wrong permission
Target permission are 2770 but current permission are 0755
/uploads/pics/index.html has wrong permission
Target permission are 0660 but current permission are 0644
/uploads/tf has wrong permission
Target permission are 2770 but current permission are 0755
/uploads/tf/index.html has wrong permission
Target permission are 0660 but current permission are 0644
/fileadmin has wrong permission
Target permission are 2770 but current permission are 0755
/fileadmin/_temp_ has wrong permission
Target permission are 2770 but current permission are 0755
/fileadmin/_temp_/.htaccess has wrong permission
Target permission are 0660 but current permission are 0644
/fileadmin/_temp_/index.html has wrong permission
Target permission are 0660 but current permission are 0644
/fileadmin/user_upload has wrong permission
Target permission are 2770 but current permission are 0755
/fileadmin/user_upload/_temp_ has wrong permission
Target permission are 2770 but current permission are 0755
/fileadmin/user_upload/_temp_/index.html has wrong permission
Target permission are 0660 but current permission are 0644
/fileadmin/user_upload/index.html has wrong permission
Target permission are 0660 but current permission are 0644
/ has wrong permission
Target permission are 2770 but current permission are 0755
My hoster is Hostpoint www.hostpoint.ch. They use FreeBSD (Apache/2.2.24 (FreeBSD) DAV/2 mod_ssl/2.2.24 OpenSSL/1.0.1e mod_hcgi/0.9.4).
Take a look at this http://en.wikipedia.org/wiki/Setuid and search for freebsd.
Maybe it's best to just not set the setuid bit.
Best regards,
Benjamin Schmidt
Updated by Markus Klein almost 11 years ago
Benjamin. To be more precise, it does not set the setuid flag, but the setgid.
So it does make a lot of sense that the group is preserved for all files and folders in order to be accessible for the webserver.
In your case I consider 0755 a bit strange, because why do "others" need access to your document root?
A proper setup should ensure that the FTP user and the webserver share one group, to enable access for both of them.
Updated by Den Denyer almost 11 years ago
I think the point that myself and Benjamin are alluding to is that many users are forced to work in shared hosting where the user/group setup is far from ideal, or the people who manage the hosting are unwilling to make amendments. In situations such as these, the more secure permissions settings as detailed here make it impossible to work with the installer, and then obviously Typo3. Unless one wants to either put off new users, or generate a massive amount of incoming support overhead, I would definitely recommend relaxing the permissions settings or, ideally, introducing an option (Dropdown / radio button) in the installer to choose between strict and insecure permissions settings.
Luckily on the install I trashed I had SSH access, I know many people who have hosting that is not even as accommodating as that and if the provided "solution" is to "Change hosting", you may as well be posting them a link to drupal.org :)
I like the idea of secure permissions, it's just I feel a great many people's setups aren't compatible.
Updated by Benjamin Schmidt almost 11 years ago
Hello Markus
You are right, it's the setgid, NOT the setuid.
And yes, the 0755 could also be 0700 (for directory). But "Others" still don't have access to my files/directories (even if they have 0777) because my DocumentRoot dir is in my customer directory having the right 0700, which means NO access to all its files and subdirectories for others except the owner of this "customer folder". I have tested that.
The main problem is: I wanted to upgrade typo3 from 6.1.7 to 6.2.0beta3 and it failed very badly.
My website is hosted by Hostpoint, which is a big webhoster here in Switzerland. So I am very sure other users will have the same problem too if nothing changes until final release. And no, I don't work for Hostpoint and I don't think they are causing this issue because of some miscellaneous (I love this word) system configuration.
By the way I also had to change in Install Tool -> All configuration -> $TYPO3_CONF_VARS['BE']:
[BE][fileCreateMask] = 0660
[BE][folderCreateMask] = 2770
to
[BE][fileCreateMask] = 0644
[BE][folderCreateMask] = 0755
Above I never had to change before, and I did an upgrade and not a new fresh installation.
My website still doesn't work. I will report back when it does.
I upgraded to 6.2.0beta3 to help make typo3 better.
Best regards,
Benjamin Schmidt
Updated by Markus Klein almost 11 years ago
At first, thanks to both of you for submitting issues and testing 6.2!
Regarding the All Configuration settings: I guess you need to set this now, since these settings are taken into account everywhere now. (FAL takes care of these)
I fully understand that on shared hosting you usually are not able to change the permissions. (I'm on multiple shared hostings as well, but fortunately never had issues with the directory permissions.)
The problem for me (I can only speak of myself here) is that I can't test such interesting permission setups. I also don't know Hostpoint, but I can tell you that one of the biggest hosters in Austria is also not capable of hosting TYPO3 (because of several problems) even though they pretend to.
I already added Ernesto, our release manager for 6.2, to this ticket and I can only hand this over to him. As far as I know we already have some tickets concerning the permission checking of the Install Tool and there are changes planned to be implemented before the final release.
Updated by Benjamin Schmidt almost 11 years ago
My website is now working with typo3 version 6.2.0beta3 :)
I just had to patch (remove one single line) the following extensions:
- multicolumn #54650
- feedforward #54649
- stever_rsscontent (not active any more)
Still, please do not harden typo3 by default if it can cause this many problems.
Nobody really cares about security or privacy today. The very few who do don't have a computer/mobile phone and therefore can't even use typo3. Typo3 must just work and hardening shall be an option for experienced users. But this is just my opinion.
Happy New Year
Updated by Ernesto Baschny over 10 years ago
- Status changed from Accepted to Closed
- Target version changed from next-patchlevel to 6.2.0
This was fixed in #52668. New defaults are 0664 and 2775.
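The modes argued over in this thread, decoded, as an added example that is not part of the original ticket or TYPO3's code: it renders each octal mode as an ls-style string, names the special bit in the leading digit, and reports whether a process matching the files' group or only "other" could traverse the directory and read a file in it. Function names are constructed here, and only mode bits are modelled (no ACLs, no parent-directory permissions).

```shell
#!/bin/sh
# Added example; function names are constructed, not TYPO3 code.
# Models mode bits only: no ACLs, no parent-directory checks.

# special_bits MODE: name the special bit in the leading octal digit.
special_bits() {
    case $(( (0$1 >> 9) & 7 )) in
        0) echo none ;;
        1) echo sticky ;;
        2) echo setgid ;;
        4) echo setuid ;;
        *) echo combined ;;
    esac
}

# mode_string MODE: ls-style rwx string with s/S and t/T for special bits.
mode_string() {
    m=$((0$1)); out=""
    for pos in 2 1 0; do                      # owner, group, other
        bits=$(( (m >> (pos * 3)) & 7 ))
        special=$(( (m >> (9 + pos)) & 1 ))   # setuid, setgid, sticky
        r=-; w=-; x=-; lo=s; up=S
        [ "$pos" -eq 0 ] && { lo=t; up=T; }
        [ $((bits & 4)) -ne 0 ] && r=r
        [ $((bits & 2)) -ne 0 ] && w=w
        [ $((bits & 1)) -ne 0 ] && x=x
        if [ "$special" -eq 1 ]; then
            if [ "$x" = x ]; then x=$lo; else x=$up; fi
        fi
        out="$out$r$w$x"
    done
    echo "$out"
}

# can_serve DIRMODE FILEMODE CLASS: "yes" if CLASS (owner|group|other)
# may traverse the directory (x) and read the file (r).
can_serve() {
    case $3 in owner) n=6 ;; group) n=3 ;; other) n=0 ;; *) return 2 ;; esac
    db=$(( (0$1 >> n) & 7 )); fb=$(( (0$2 >> n) & 7 ))
    if [ $((db & 1)) -ne 0 ] && [ $((fb & 4)) -ne 0 ]; then echo yes; else echo no; fi
}

# Directory:file mode pairs quoted in the thread.
for pair in 0755:0644 2770:0660 2775:0664; do
    d=${pair%:*}; f=${pair#*:}
    printf '%s d%s special=%s group=%s other=%s\n' "$d" "$(mode_string "$d")" \
        "$(special_bits "$d")" "$(can_serve "$d" "$f" group)" "$(can_serve "$d" "$f" other)"
done
```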